How to fix a false positive

On Sophos UTM, mod_security can detect a far greater number of attacks, but also experiences a larger number of false positives. If your website is experiencing a lot of false positives, the best way to resolve them is to disable the specific rule IDs that are being detected.

To determine the rule IDs that are being matched, you'll need to check the Web Application Firewall log while browsing to your website and recreating the false positive. To open the WAF live log, navigate to Webserver Protection > Web Application Firewall > Virtual Webservers, and click on Open live log.

After reproducing the false positive, you should see an entry similar to the following in the WAF live log. The rule ID you're looking for appears in the 'id' field, in the format [id "<rule number>"]:

To disable rules, you can browse to Webserver Protection > Web Application Firewall > Firewall Profiles, click Edit on the appropriate Firewall Profile, and then add the rule ID number into the Skip Filter rules box. The result will look similar to the following:

Infrastructure rules

There are certain rules we call infrastructure rules; they are core to the operation of the WAF ModSecurity engine. Other rules are built upon them, so disabling an infrastructure rule also affects those dependent rules. If an infrastructure rule is added to the Skip Filter Rules list, you make yourself vulnerable to other possible attacks.

981020

981021

981022

981175

981176

981200

981201

981202

981203

981204

981205

To resolve a false positive that shows an infrastructure rule, search the reverseproxy.log for the non-infrastructure rules that were triggered before the infrastructure rule by the same request, and add those to the Skip Filter Rules list instead. Keep in mind that the infrastructure rules are always the last rules to be triggered by an HTTP request.
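The following script is an added example, not part of the Sophos article: it walks reverseproxy.log entries in order, collects every [id "..."] value together with its [msg "..."] text, and separates the infrastructure rules listed above from the rules that are safe to add to Skip Filter Rules. The log lines, client address, file paths and the non-infrastructure rule IDs in the sample are constructed for illustration.

```python
import re

# Infrastructure rule IDs from the article above; never put these in Skip Filter Rules.
INFRASTRUCTURE_RULES = {
    "981020", "981021", "981022", "981175", "981176",
    "981200", "981201", "981202", "981203", "981204", "981205",
}

# ModSecurity writes each matched rule as [id "<rule number>"] and [msg "<text>"].
ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def matched_rules(log_lines):
    """Return {rule_id: msg} in order of first appearance; lines without an id are skipped."""
    rules = {}
    for line in log_lines:
        m = ID_RE.search(line)
        if not m:
            continue  # not a ModSecurity rule hit (e.g. access-log line)
        msg = MSG_RE.search(line)
        rules.setdefault(m.group(1), msg.group(1) if msg else "")
    return rules


def skip_candidates(log_lines):
    """Split matched rule IDs into (safe_to_skip, infrastructure), preserving log order."""
    ids = list(matched_rules(log_lines))
    safe = [r for r in ids if r not in INFRASTRUCTURE_RULES]
    infra = [r for r in ids if r in INFRASTRUCTURE_RULES]
    return safe, infra


# Constructed sample: two ordinary rule hits, then the infrastructure rule that fires last.
SAMPLE_LOG = """\
2023:01:10-09:15:02 utm reverseproxy: [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/constructed/crs_41_sql.conf"] [line "77"] [id "950901"] [msg "Constructed sample: SQL tautology"] [uri "/search"]
2023:01:10-09:15:02 utm reverseproxy: [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:<script)" at ARGS:q. [file "/constructed/crs_41_xss.conf"] [line "12"] [id "960024"] [msg "Constructed sample: XSS"] [uri "/search"]
2023:01:10-09:15:02 utm reverseproxy: [client 192.0.2.10] ModSecurity: Access denied with code 403. [file "/constructed/crs_49_inbound.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded"] [uri "/search"]
2023:01:10-09:15:03 utm reverseproxy: 192.0.2.10 - - "GET /search?q=test HTTP/1.1" 403 -
"""

if __name__ == "__main__":
    safe, infra = skip_candidates(SAMPLE_LOG.splitlines())
    print("Add to Skip Filter Rules:", ", ".join(safe))
    print("Infrastructure rules seen (do NOT skip):", ", ".join(infra))
```

Run it against an excerpt of reverseproxy.log covering the request that produced the false positive; only the IDs printed on the first line belong in Skip Filter Rules.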
